
I run a Docker OpenVPN container on CoreOS:

docker run --cap-add NET_ADMIN --device /dev/net/tun ...

The container connects to the VPN as a client, and other VPN clients can ping the container. It runs a normal openvpn process inside it with the dev tun option in the config.

My task is to make host ports (published ports from any other containers) on this machine available to other VPN clients, via that tun0 inside the VPN client container (so it must be the host's job to set up routing?). How to implement this?

  • Your main container is an openvpn client connected to a remote VPN server? And you want others to connect through this container without running openvpn itself (because it's already running in the container)? – Mostafa Hussein Mar 17 '19 at 15:09
  • Yes. I am trying to build a VPN-only visible coreos worker, e.g. machine should expose everything it has to the VPN network it is connected to as a client. I use https://github.com/tsaikd/docker-openvpn – Croll Mar 17 '19 at 15:11
  • So I, as a user, should access a service through it because it requires a VPN IP and so on, right? I have built a similar scenario before; I am just making sure before submitting an answer :D – Mostafa Hussein Mar 17 '19 at 15:12
  • Yes, a few ports will be accessed directly of course, but most are VPN-only services for other machines in the VPN. Thanks – Croll Mar 17 '19 at 15:14

1 Answer

So I will assume that you have a container connected to a VPN server and you need to access a server through this container due to IP restrictions and so on.

1- In case you are using the bridge network, which is the default when you run a container:

In order to achieve this you will need to have iptables installed inside the container and, after starting the VPN connection, run the following command:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

And from the host machine where you want to access a service you can use the ip route command to route the connection through the container as below:

Assuming you want to access a remote server with IP 192.168.0.20 through a container with IP 172.17.0.4:

ip route add 192.168.0.20 via 172.17.0.4

Now whenever you access the server which is 192.168.0.20 it will be through the VPN client inside your container.

2- You can pass --network=host to docker run, and in this case you won't need any extra steps, as the connection will be routed through the VPN by default.


Update:

Given that you have a Container Y with port 9000, accessible through Container X.

Container X is connected to a VPN.

A user connected to the same VPN wants to access Container Y and should go through Container X; then you need to apply the following firewall rules inside Container X:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 9000 -j DNAT --to-destination $CONTAINER_Y_DOCKER_IP

iptables -t nat -A POSTROUTING -p tcp -d $CONTAINER_Y_DOCKER_IP --dport 9000 -j SNAT --to-source $CONTAINER_X_DOCKER_IP

iptables -A FORWARD -m state -p tcp -d $CONTAINER_Y_DOCKER_IP --dport 9000 --state NEW,ESTABLISHED,RELATED -j ACCEPT
  • Let me try. I actually found a chain `DOCKER` in the container's iptables that includes my published ports, by the way. I don't yet understand what this is. I just used `--network host` alongside `--device` and `--cap-add`. – Croll Mar 17 '19 at 15:23
  • My scenario above applies to a bridge network (the default docker setup); if you intend to use the host network, then by default the communication will be routed through it and no additional steps are needed – Mostafa Hussein Mar 17 '19 at 15:25
  • True! I can use my ports as `localhost` inside VPN container already. Will check why other VPN clients can't knock them from their side. It is surely the container trouble, not client's. – Croll Mar 17 '19 at 15:28
  • If you are meant to use a container with a bridge network then the first method will help you achieve that – Mostafa Hussein Mar 17 '19 at 15:29
  • Thank you! Both your suggestions are correct. However, I cannot access custom TCP port `9000` from another VPN client. I get a connection refused error when doing `telnet 10.8.0.2 9000` (the IP of the container in the VPN), while having iptables policy ACCEPT both in the docker host and in the docker VPN container. Could you tell me what I can be missing? I use the bridge network (default, without `--network ..`) – Croll Mar 17 '19 at 15:37
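The rule set from the answer's update, as an added example script (not the answerer's code or the docker-openvpn project's) meant to run inside container X: it turns on forwarding, restricts the DNAT so only peers on the VPN subnet can reach the port, and re-applies rules idempotently after a reconnect. tun0 and port 9000 come from the thread; the VPN subnet 10.8.0.0/24 and the container addresses 172.17.0.4 (X) and 172.17.0.5 (Y) are assumed sample values.

```shell
#!/bin/sh
# Added example: forward TCP port on container Y to VPN peers via container X.
# Assumed values: tun0, VPN subnet 10.8.0.0/24, X=172.17.0.4, Y=172.17.0.5.
set -eu

VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # only VPN peers may reach the forwarded port

# Emit one rule per line as "<table> <rule spec>" for a TCP port on container Y.
port_forward_rules() {
  port="$1"; y_ip="$2"; x_ip="$3"
  cat <<EOF
nat POSTROUTING -o $VPN_IF -j MASQUERADE
nat PREROUTING -i $VPN_IF -s $VPN_NET -p tcp --dport $port -j DNAT --to-destination $y_ip:$port
nat POSTROUTING -p tcp -d $y_ip --dport $port -j SNAT --to-source $x_ip
filter FORWARD -i $VPN_IF -p tcp -d $y_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
filter FORWARD -o $VPN_IF -s $y_ip -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Append a rule only if "iptables -C" reports it absent, so the script can be
# re-run after every VPN reconnect without duplicating rules.
# With DRY_RUN set, print the command instead of running it.
ensure_rule() {
  table="$1"; shift
  if [ -n "${DRY_RUN:-}" ]; then
    echo "iptables -t $table -A $*"
  elif ! iptables -t "$table" -C "$@" 2>/dev/null; then
    iptables -t "$table" -A "$@"
  fi
}

apply_port_forward() {
  # Container X must route between tun0 and the docker bridge.
  if [ -n "${DRY_RUN:-}" ]; then
    echo "sysctl -w net.ipv4.ip_forward=1"
  elif [ "$(cat /proc/sys/net/ipv4/ip_forward)" != "1" ]; then
    sysctl -w net.ipv4.ip_forward=1
  fi
  port_forward_rules "$@" | while read -r table rule; do
    ensure_rule "$table" $rule   # word-splitting of $rule is intended
  done
}

# Usage inside container X:  sh forward.sh apply 9000 172.17.0.5 172.17.0.4
if [ "${1:-}" = "apply" ]; then
  shift; apply_port_forward "$@"
fi
```

Set DRY_RUN=1 to print the commands without touching the container's tables. Without the PREROUTING DNAT, a peer's connection to 10.8.0.2:9000 is delivered to container X's own network stack, where nothing listens, which is exactly what a connection refused looks like from the peer's side.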